Hello,

>> A week ago I notified people about the possible issues in Perl's taint
>> checker with respect to format string issues. I have not received any
>> responses since then.
>>
>> Has the Perl development community decided that the taint checker
>> should not be changed? If so, then I would like to include a
>> statement to that effect. I am delaying the release of this advisory
>> just in case the Perl community wants to change the taint checker.
>
> Did this ever get resolved?

Well, there is a general question as to whether this should be Perl's
responsibility in the first place, or that of the application developer.

I did obtain this statement from one of the developers (unfortunately I
didn't record who it was):

    These issues do not represent a substantial security hole in perl
    itself. Future versions of perl may extend tainting checks to format
    strings, or just to certain aspects of formats (such as %n).

- Steve
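The point under discussion, that taint mode leaves format strings to the application developer, can be seen directly. The script below is an added example, not code from the list message or from the Perl project: it builds a tainted string (constructed here by mixing in a zero-length slice of $ENV{PATH}, which under -T is tainted like any %ENV, @ARGV or STDIN data), shows that sprintf accepts it as a format without any "Insecure dependency" error, and shows the two application-side measures a developer can add: keep the format a program constant and pass user text only as an argument, or refuse tainted data before it becomes a format. The helper names render_unsafe, render_safe, assert_clean_format and untaint_plain_text are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example, not code from the list message. Demonstrates that perl's
# taint mode does not object to a tainted format string passed to sprintf,
# and the checks an application can add on its own.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: appending a zero-length slice of an environment
# variable taints a literal, the same way %ENV, @ARGV or STDIN data would
# be tainted under -T.
my $taint    = substr($ENV{PATH} // '', 0, 0);
my $user_msg = 'hello %s %s %s' . $taint;

# Unsafe shape: user-controlled text is used AS the format. Taint mode
# does not flag this; the %s directives are honoured and, with no
# arguments supplied, perl only emits "Missing argument in sprintf".
sub render_unsafe {
    my ($fmt, @args) = @_;
    return sprintf($fmt, @args);
}

# Safe shape: the format is a program constant and the tainted text is
# passed as an argument, so any directives in it are printed literally.
sub render_safe {
    my ($text) = @_;
    return sprintf('message: %s', $text);
}

# Explicit guard that taint mode itself does not provide: refuse any
# tainted value that is about to be used as a format string.
sub assert_clean_format {
    my ($fmt) = @_;
    die "refusing to use tainted data as a format string\n" if tainted($fmt);
    return $fmt;
}

# Whitelist untaint: accept plain text only, rejecting '%' so that no
# directive can survive. Returns undef when the text does not match.
sub untaint_plain_text {
    my ($text) = @_;
    my ($clean) = $text =~ /\A([A-Za-z0-9 _.,:!?-]*)\z/;
    return $clean;
}

print "tainted format? ", (tainted($user_msg) ? "yes" : "no"), "\n";
{
    local $SIG{__WARN__} = sub { print "warning: $_[0]" };
    print "unsafe: ", render_unsafe($user_msg), "\n";   # directives interpreted
}
print "safe:   ", render_safe($user_msg), "\n";         # directives printed literally

my $clean = untaint_plain_text($user_msg);
print "whitelist untaint: ", (defined $clean ? "accepted" : "rejected"), "\n";

eval { assert_clean_format($user_msg) };
print "guard: $@" if $@;
```

Run it as `perl -T taint_format.pl` (the -T switch must be given on the command line as well as the shebang line, or perl stops with "Too late for -T"). The unsafe branch prints the message with its %s directives consumed and a "Missing argument in sprintf" warning for each, while the safe branch prints the directives verbatim, which is the behaviour a developer wants until, as the quoted statement puts it, perl itself extends tainting to formats.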